You Used PHP to Write WHAT?!

There is no single right answer to every problem and PHP is no exception. The dynamic programming language has its strengths and its weaknesses like any other language. PHP integrates very well with HTML and has hundreds of functions that make it a very capable programming language for a variety of tasks. It also has the ability to interact with the operating system like a scripting language. PHP is also widely held as the way to interact with databases of almost every type.

More on Dynamic Languages & Web Dev

You Used Python to Write WHAT?

You Used Perl to Write What?!

You Used JavaScript to Write What?

Beyond Ajax: Software Development, Two Years from Now

Why Ruby on Rails Succeeded

PHP is the go to guy for Web programming languages but are there things better left to Perl, Ruby, Java, JavaScript or Python? You bet there are. In particular, PHP is not thread safe—which means that multiple instances of the same routine may interact with each other, resulting in a crash on the Web server. PHP has suffered its share of security problems, and it isn’t particularly well-suited to large or extremely complex site implementations.

Despite some of its significant shortcomings, PHP is perhaps the most popular Web scripting language currently used in the world. Why is that? Some of the reasons may surprise you.

Editor’s Note: As the number of comments on this article demonstrate, several readers disagreed with our author’s opinions. Those readers may wish to also read our followup article: PHP’s Enterprise Strengths and Weaknesses, Take 2, in which Zend’s John Coggeshall responds with his own list of the Good, the Bad and the Ugly of PHP application development.

PHP’s Shining Beacon

Several dynamic or “scripting” languages, including PHP, Perl, Java and others, have their roots in the C language, which makes them a natural fit for developers making the transition from traditional application programming to Web programming. This makes the learning curve far less steep for those used to standard procedural languages. PHP has the advantage since it also integrates very well with HTML.

In fact, its full name is PHP: Hypertext Preprocessor (one of those famous Unix recursive acronyms), which means that it understands hypertext (HTML) without any special API or modifications. An API, application programming interface, is a set of libraries that allow programmers to interact with operating systems, databases or other applications by referencing those libraries inside an application. PHP has a long list of APIs and functions that expand its capability beyond that of any other contemporary Web scripting language.

PHP has enjoyed a long-lived association with databases, especially MySQL. However, PHP plays equally well with Oracle, DB2, SQLite, PostgreSQL, Sybase and Microsoft’s SQL Server. Migrating from one database server to another is usually quite simple since most of PHP’s functions have a common naming convention. A programmer can do simple global pattern replacements to change from one database brand to another. The following is an example of some often used MySQL functions and their Microsoft SQL Server equivalents.

• It is easy to learn: Its C-like syntax makes it an easy language to learn for programmers and nonprogrammers alike.
• It blends well with HTML: You can mix PHP scripts right inside your HTML or place HTML tags and code inside PHP files.
• PHP has a vast library of functions and APIs: PHP’s ability to interact with LDAP, databases and the file system makes it a great “one stop shop” for developers.
• You can rapidly create Web applications and database-backed applications: PHP is so often used with databases, especially open-source databases, that several books are available on the shared topic of PHP and MySQL.
• It is cross-platform capable: PHP is used on Windows, Linux, commercial flavors of Unix and MacOS X.

When should you use PHP?

• Creating an intranet site.
• Prototyping an application that will be converted to Java or some other language.
• Creating a Web database application.
• Deploying an inexpensive or quick solution.
• Using ready-made apps from Sourceforge.net or other sites.

The Dimmer Switch

But that’s not to say that PHP is always the best solution under every circumstance. In general you should not use PHP:

• Where data security is of high importance.
• In Shell or automated scripted applications.
• In enterprise applications where scalability takes higher precedence than economy.

Security and PHP

PHP isn’t inherently insecure. But it has so many easy-to-use functions that, unless you use it wisely, you can get into real trouble. First is the issue of global variables: variables that are available without declaration, available throughout the scope of the code and used throughout a page or script. Later versions of PHP have disabled this feature; beginning with PHP version 6.0 the feature is omitted completely. The security issue doesn’t exist by design, but with sloppy programming the risk is elevated. Variables should always be initialized before use in any programming language. Most languages require it anyway.

Some other security issues are mitigated in the php.ini file, the main configuration file for the PHP environment. Hundreds of directives and options in this file affect the programming environment. The php.ini file also mixes Windows and Unix/Linux configuration parameters so, depending on your operating system, there will be different options and paths to edit.

The PHP manual has an entire section dedicated to keeping your services and data more secure. Additional resources are available, such as a very good book from Apress, Pro PHP Security, by Snyder and Southwell, that addresses almost every imaginable security risk and solution.

Of course, if you resolve every possible security issue through design and programming, you may find that your system is on the slow side—another complaint rendered against PHP.

PHP at the Speed of Secure

The struggle between security and usability is a much-debated topic. The arguments go something like this: If you totally lock down a system, you may significantly limit usability. On the other hand, if you aren’t concerned about security, your site may be compromised. The best advice here is to secure your site and then assess its speed and usability.

PHP is sometimes criticized for being slow, and detractors claim that it has somehow been crippled in order to prompt users into purchasing the Zend Optimizer. In larger implementations, PHP can suffer performance hits and may need an external boost from a caching engine. That includes the Zend Optimizer, but several free caching engines are available that are just as capable. APC (Alternative PHP Cache) and eAccelerator are widely used in PHP shops.

The PHP Shell Game

PHP offers several functions to interact with the file system: shell_exec(), system(), passthru(), exec(), escapeshellcmd() and others. These are very handy functions to have around to do jobs like restarting processes, editing files, listing directory contents, executing a command or two but with great power comes great responsibility. These are very powerful functions and they should be used conservatively. It’s too easy for a developer to be lazy or seduced by these shell functions. Whether using them in a webpage or in a php shellsystem() function to list the contents of a directory, filter the listing with a grep to list only the files you want shown to the world.

When using PHP as a scripting language for command line scripts or automating tasks, you also must follow good rules of conduct. Elevating user privileges to perform some task or changing permissions on a file or directory is usually the wrong answer. Find another way to do it. For greater speed, flexibility and security, use perl or shell scripting for such tasks. Perl’s pattern matching with regular expressions is well known to be superior to that of any other language. Developers can call perl scripts from within PHP scripts and pages.

Unlike perl, PHP has certain timing and memory limitations for a script. If a script exceeds its prescribed time or memory limits, the script dies. You risk having frustrated users and a lot of troubleshooting to do. These parameters may be altered via the php.ini file but for the associated drain on the system; you should just use perl.

PHP and Scalability

Each new version of PHP that is released gives hope that PHP will be scalable into enterprise-level applications. So far, it has fallen short of those lofty promises.

PHP isn’t Java. PHP 6.0 gets closer to some of the necessary components for true enterprise applications but there’s still work to be done. For large enterprise solutions, PHP makes a great prototyping or feasibility tool, but heavily loaded sites that require thread safety, security and stability should use Java.

PHP works well for prototyping because it is easy to get a site up and running. Use PHP to design the site, to determine functional needs and to solve performance bottlenecks—but when it comes time for development, tell the development team you want the result to look and act like this PHP site…but in Java (or another enterprise-ready language).

PHP has great potential for websites both internal and Internet facing. It does a lot of things very well, but like any tool, it can’t do everything. It makes sense to have several tools in your toolbox and to use the right tool for the job. PHP’s shortcomings come not from its design but from poor execution. PHP is a worthy and valuable tool for programmers, Web architects and those who like to tinker with something cool.

Kenneth Hess is a technical writer on a variety of open-source topics including databases, Linux, Web services and administration. He is also an avid PHP programmer who often ignores his own good advice about its use.